The infrastructure area of the taxonomy concerns the threats to the security of services on the infrastructure layer. The infrastructure layer is divided into the four areas of physical security, host, virtualization and network which constitute the core components of the cloud infrastructure. Although users of a cloud infrastructure service do not usually have any influence on these core components, they should nonetheless be aware of the potential threats to security which exist at this level. The complexity of cloud infrastructures also makes it very difficult for users to evaluate their security and leaves them with little choice but to trust the cloud resource provider.
5.2.1 Physical security
The physical security of cloud computing systems encompasses the facilities and building services in which cloud computing systems are located or of which they are a part. Examples of security factors include computer power supplies and cooling systems as well as controlled access to the building, video camera surveillance and the location and structure of datacenters [10] [21]. A power failure, for example, can easily impact the protection goal of availability [39].
5 Taxonomy of the security aspects of cloud computing systems
The removal – i.e. theft – of computers from the building may, for example, contravene the protection goal of confidentiality. The structure of the datacenter can also influence the expandability of the cloud computing system and lead to bottlenecks in the performance offered by a fast-growing cloud vendor.
Most enterprises contract building security out to external firms [7]. However, users should check who is authorized to enter specific areas of the datacenter and should request such information from the cloud vendor in writing where relevant. It is also important to specify the incidents – such as power or CCTV failures, changes in building access controls or the relocation of the computer to a new datacenter – about which the cloud vendor must alert the cloud consumer.
Physical security checklist
• Does the consumer have access to CCTV data or recordings made by the cloud vendor’s access control systems in the event that a notifiable incident occurs?
• Do all the cloud vendor’s datacenters use the same physical security standards?
• What physical security measures are taken by the datacenter which holds the consumer’s data?
• In what way is the datacenter secured?
• How is access to the building secured?
• Are access cards, biometric procedures, video camera surveillance, building surveillance and the permanent accompaniment of guests in the datacenter guaranteed?
• What alarm systems are used?
5.2.2 Host
The host provides the environment in which the processes and their calculations are carried out. This makes very tough demands on security in terms of the protection of the processed data, the availability of the host and the reliability of the calculations carried out on the host.
Potential threats to the data protection goals usually originate in applications running outside the user environment which may affect data within the user environment. If a potential attacker’s application is able to influence local data – where local refers to the same physical computer on which both the attacker and user run their applications – it will also be able to change or destroy such data or make the local environment unusable. Isolation helps to keep and run potential attackers’ external applications in a protected environment so that, ideally, malicious applications are not able to leave their assigned environment.
The virtualization concept is used in cloud computing systems with the aim of isolating several user environments. Direct access to the host resources is no longer allowed but is controlled by a virtual machine monitor. It should be clear and documented at all times which process or which actor has accessed the host. This makes it easier for the user to check the security of the system.
Another threat to the protection goals is the running of applications by a user. When running an application the host resources must often be assigned at the abstraction level of a virtual machine. This can lead to the 'starvation' of an application [41] [14]. An application is said to be starved if a neighboring or higher-priority application utilizes a large amount of a host’s resources and thereby makes it impossible to run another application. The significance of this scenario is highly dependent on the intensity with which applications utilize a host’s resources and influence its capacity.
In the past, bottlenecks have occurred in commercial cloud service offerings which have resulted in the starvation of applications, in particular due to the overutilization of resources [9]. Bottlenecks have, for example, been caused by distributed denial-of-service attacks intended to impair the reliability and availability of a provider’s resources. In order to avoid the risk of starving an application, resource services should be chosen which offer consistently high performance – by requesting monitoring services and analyzing performance history, for example – and/or by imposing contractual penalties for violations of service quality criteria, such as availability.
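The paragraph above recommends analyzing a provider's performance history and tying penalties to service quality criteria such as availability. The following script is an added example, not code from the study, showing how a consumer could do that analysis on monitoring data: it finds starvation episodes (runs of samples in which the application missed its latency budget or the hypervisor reported high CPU steal) and compares the measured availability with a contractual target. The sample history, the thresholds (500 ms, 50 % steal, 99 % availability) and the `Sample` record layout are all constructed assumptions.

```python
"""Added example: scan a resource's monitoring history for starvation
episodes and compare observed availability with a contractual target.
Sample values and thresholds are constructed for illustration."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Sample:
    ts: int            # seconds since start of the observation window (constructed)
    latency_ms: float  # measured response time of the user's application
    cpu_steal: float   # share of CPU time taken by neighbouring VMs, 0..1


# Constructed performance history: one sample per minute over twelve minutes.
# Minutes 3-5 and minute 9 show a neighbour hogging the host.
HISTORY: List[Sample] = [
    Sample(0, 40, 0.02),     Sample(60, 45, 0.03),    Sample(120, 42, 0.01),
    Sample(180, 900, 0.60),  Sample(240, 1300, 0.75), Sample(300, 1100, 0.70),
    Sample(360, 50, 0.04),   Sample(420, 41, 0.02),   Sample(480, 48, 0.03),
    Sample(540, 2000, 0.80), Sample(600, 47, 0.02),   Sample(660, 44, 0.01),
]


def is_starved(s: Sample, latency_limit_ms: float, steal_limit: float) -> bool:
    """A sample counts as starved if the application missed its latency
    budget or the hypervisor reported excessive steal time."""
    return s.latency_ms > latency_limit_ms or s.cpu_steal > steal_limit


def starvation_episodes(history, latency_limit_ms=500.0, steal_limit=0.5,
                        min_consecutive=2) -> List[Tuple[int, int]]:
    """Return (start_ts, end_ts) of every run of at least `min_consecutive`
    consecutive starved samples. Shorter blips are ignored so that a single
    slow request does not count as starvation."""
    episodes, run = [], []
    for s in history:
        if is_starved(s, latency_limit_ms, steal_limit):
            run.append(s)
            continue
        if len(run) >= min_consecutive:
            episodes.append((run[0].ts, run[-1].ts))
        run = []
    if len(run) >= min_consecutive:          # history may end inside an episode
        episodes.append((run[0].ts, run[-1].ts))
    return episodes


def availability(history, latency_limit_ms=500.0) -> float:
    """Fraction of samples in which the application met its latency budget."""
    ok = sum(1 for s in history if s.latency_ms <= latency_limit_ms)
    return ok / len(history)


def sla_report(history, target_availability=0.99, **limits) -> dict:
    """Summarize the history the way a consumer would before invoking a
    contractual penalty clause: measured availability, whether the target
    was missed, and the starvation episodes that explain the shortfall."""
    avail = availability(history, limits.get("latency_limit_ms", 500.0))
    return {
        "availability": round(avail, 4),
        "violated": avail < target_availability,
        "episodes": starvation_episodes(history, **limits),
    }


if __name__ == "__main__":
    print(sla_report(HISTORY))
```

The `min_consecutive` parameter is the practical knob: a penalty clause usually defines a minimum outage duration, and the detector should apply the same definition so that the consumer's evidence matches the contract's wording.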
Host security checklist
• Are procedures adopted which prevent the starving of applications?
• How are the processes of various user applications isolated from each other?
• What procedures are adopted to isolate the host?
• Who has access rights to the hosts in the vendor’s datacenter?
5.2.3 Virtualization
As discussed in the previous section, virtualization is mainly used in cloud computing systems to isolate user environments and is consequently an important basic building block in cloud computing systems. At present virtualization is mainly used in datacenters to consolidate computers and to increase the use of the datacenter’s capacity. The possibility of using isolation to create a secure environment is a by-product of virtualization solutions and a key requirement for the separation of user environments and compliance with the protection goals defined in chapter 3.
Threats at the virtualization level often originate in the management of access rights and the dynamic nature of cloud computing systems. Before using cloud computing systems it is important to define very precisely which users should be authorized to administer the virtual machines, how the file permissions for the virtual machine are defined and what authorization the guest operating system has. In addition to the authorization rights relating to the host, authorization must also be defined at the network level, such as the configuration of a host-based firewall or access to other Internet or cloud resources.
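One way to turn the requirement above (precisely defined administrators and file permissions for virtual machines) into a repeatable check is to audit the VM image files on a hypervisor host against a written policy. The script below is an added example, not from the study or from any virtualization vendor; the inventory, the image paths, the `libvirt-qemu`/`kvm` owner and group in the policy, and the permission modes are constructed assumptions. It flags images with the wrong owner or group, images readable or writable by "other" (which would expose a tenant's disk contents to any local account), and stray setuid/setgid bits.

```python
"""Added example: audit virtual machine image files against a written
authorization policy (expected owner and group, no access for 'other').
The inventory, paths and policy are constructed for illustration."""
import stat
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ImageRecord:
    path: str
    owner: str
    group: str
    mode: int   # POSIX permission bits, as os.stat().st_mode & 0o7777 would give


# Constructed inventory, as an export from the hypervisor host might look.
INVENTORY: List[ImageRecord] = [
    ImageRecord("/var/lib/libvirt/images/tenant-a.qcow2", "libvirt-qemu", "kvm", 0o640),
    ImageRecord("/var/lib/libvirt/images/tenant-b.qcow2", "libvirt-qemu", "kvm", 0o644),
    ImageRecord("/var/lib/libvirt/images/tenant-c.qcow2", "alice", "kvm", 0o660),
    ImageRecord("/var/lib/libvirt/images/tenant-d.qcow2", "libvirt-qemu", "users", 0o2664),
]

# Constructed policy: the account the hypervisor runs images under and the
# group whose members are the authorized VM administrators.
POLICY = {"owner": "libvirt-qemu", "group": "kvm"}

OTHER_BITS = stat.S_IROTH | stat.S_IWOTH | stat.S_IXOTH
SPECIAL_BITS = stat.S_ISUID | stat.S_ISGID


def audit_image(rec: ImageRecord, policy=POLICY) -> List[str]:
    """Return the policy violations for one image (empty list = compliant)."""
    findings = []
    if rec.owner != policy["owner"]:
        findings.append(f"owner {rec.owner!r}, expected {policy['owner']!r}")
    if rec.group != policy["group"]:
        findings.append(f"group {rec.group!r}, expected {policy['group']!r}")
    if rec.mode & OTHER_BITS:
        findings.append("accessible by 'other' (mode %o)" % (rec.mode & 0o777))
    if rec.mode & SPECIAL_BITS:
        findings.append("setuid/setgid bit set")
    return findings


def audit_inventory(inventory, policy=POLICY) -> Dict[str, List[str]]:
    """Map each non-compliant image path to its list of findings."""
    report = {}
    for rec in inventory:
        findings = audit_image(rec, policy)
        if findings:
            report[rec.path] = findings
    return report


if __name__ == "__main__":
    for path, findings in audit_inventory(INVENTORY).items():
        print(path)
        for f in findings:
            print("  -", f)
```

On a real host the `ImageRecord` list would be filled from `os.stat()` over the image directory; the audit logic itself stays the same, and running it from configuration management after every change keeps the documented authorization and the actual permissions from drifting apart.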
Current virtualization solutions, such as Xen¹, KVM², VMware ESX³ or Microsoft’s Hyper-V⁴, offer the migration of virtual machines between hosts, which can violate one or several protection goals, such as a user’s privacy. In this connection checks should be carried out to determine whether a vendor of cloud services uses this feature and what the consequences might possibly be. The vendor should also provide information about the geographical location of the virtual machine, or submit a certificate, as this may be stipulated by law.
Virtualization security checklist
• What virtualization technology does the cloud vendor use?
• How does the cloud vendor ensure that the isolation of the virtual machine is complied with and a virtual machine is not, for example, able to access the memory area of others?
• What measures are taken to protect the virtual machines?
• What is done to prevent faulty virtual machines resulting in memory corruption owing to the exploitation of a security hole?
• What is done if a virtual machine monitor (VMM) is compromised?
• How secure is the communications channel between the virtual machines and the VMM?
5.2.4 Network
The network – and its components such as communication protocols and filter technologies – is another important part of the infrastructure which may influence the security of the cloud computing system. The purpose of communication protocols is to enable uniform use to be made of the cloud services by users and between the computers of one or several cloud computing systems, while filter technologies such as firewalls, intrusion detection systems (IDS) or intrusion prevention systems (IPS) enable only certain network connections and in this way prevent malicious intrusions into the system.
¹ http://xen.org/
² http://www.linux-kvm.org/page/Main_Page
³ http://www.vmware.com/de/
The following section summarizes in brief the security aspects of the network of a cloud computing system as a more extensive discussion would go beyond the scope of this study. Cloud computing systems usually only function if they have a reliable network infrastructure; this means that both the cloud user and the cloud vendor need to have an in-depth understanding of network security.
The challenges for cloud computing systems from the point of view of network security are based on compliance with the protection goals introduced in chapter 3 and typical requirements for cloud services which should be accessible from anywhere, using any terminal device and using heterogeneous network infrastructures. What is more, the cloud-specific security aspects of networks should also be taken into consideration alongside the secure forwarding of messages and secure multicasting.
Based on the ISO/OSI layer model [1] network access and important security functions can be controlled at various levels, such as at the IP level with IPsec or with TLS/SSL on the transport layer. In this context use is made of procedures for isolating network traffic by means of virtualization, access control by means of firewalls, integration of VPN technologies in cloud services as well as procedures for recognizing and removing suspicious network packets using IDS or IPS.
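The paragraph above names IDS and IPS as the procedures for recognizing suspicious network packets, and the checklist below asks which technologies stop intrusions such as port scanning. The following script is an added example, not from the study, of the kind of rule an IDS applies for that purpose on a cloud host: it reads host-firewall log lines and raises an alert when one source has touched many distinct destination ports on one host within a short window. The log format (a netfilter-style `SRC=`/`DST=`/`DPT=` line with an ISO timestamp), the addresses (documentation ranges) and the thresholds are constructed assumptions.

```python
"""Added example: simple port-scan detection over host-firewall log lines,
the kind of check an IDS performs before an IPS decides to block traffic.
Log format, addresses and thresholds are constructed for illustration."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, Iterator, List, Tuple

# Constructed log format, loosely modelled on a netfilter-style log line.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) SRC=(?P<src>\S+) DST=(?P<dst>\S+) DPT=(?P<dpt>\d+) ACTION=(?P<action>\w+)$"
)

# Constructed sample: 203.0.113.5 probes ten ports on 10.0.0.4 within ten
# seconds; 198.51.100.7 is an ordinary client talking to HTTPS only.
SAMPLE_LOG = """\
2024-03-01T10:00:00 SRC=203.0.113.5 DST=10.0.0.4 DPT=22 ACTION=DROP
2024-03-01T10:00:01 SRC=203.0.113.5 DST=10.0.0.4 DPT=23 ACTION=DROP
2024-03-01T10:00:02 SRC=203.0.113.5 DST=10.0.0.4 DPT=25 ACTION=DROP
2024-03-01T10:00:03 SRC=203.0.113.5 DST=10.0.0.4 DPT=80 ACTION=ACCEPT
2024-03-01T10:00:04 SRC=203.0.113.5 DST=10.0.0.4 DPT=110 ACTION=DROP
2024-03-01T10:00:05 SRC=198.51.100.7 DST=10.0.0.4 DPT=443 ACTION=ACCEPT
2024-03-01T10:00:05 SRC=203.0.113.5 DST=10.0.0.4 DPT=143 ACTION=DROP
2024-03-01T10:00:06 SRC=203.0.113.5 DST=10.0.0.4 DPT=443 ACTION=ACCEPT
2024-03-01T10:00:07 SRC=203.0.113.5 DST=10.0.0.4 DPT=445 ACTION=DROP
2024-03-01T10:00:08 SRC=203.0.113.5 DST=10.0.0.4 DPT=3389 ACTION=DROP
2024-03-01T10:00:09 SRC=203.0.113.5 DST=10.0.0.4 DPT=8080 ACTION=DROP
2024-03-01T10:05:00 SRC=198.51.100.7 DST=10.0.0.4 DPT=443 ACTION=ACCEPT
"""


def parse_log(text: str) -> Iterator[dict]:
    """Yield one event per well-formed line; malformed lines are skipped
    rather than crashing the detector (a real log always contains some)."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        ev["dpt"] = int(ev["dpt"])
        yield ev


def detect_port_scans(events, window_s: int = 60,
                      min_ports: int = 8) -> List[Tuple[str, str, datetime, int]]:
    """Flag a (src, dst) pair once it has touched at least `min_ports`
    distinct destination ports within a sliding window of `window_s`
    seconds. Accepted connections count as well: probing open ports is
    still probing. Each pair is reported at most once."""
    window = timedelta(seconds=window_s)
    recent: Dict[Tuple[str, str], deque] = defaultdict(deque)
    alerted = set()
    alerts = []
    for ev in events:
        key = (ev["src"], ev["dst"])
        q = recent[key]
        q.append((ev["ts"], ev["dpt"]))
        while q and ev["ts"] - q[0][0] > window:   # evict events outside the window
            q.popleft()
        distinct = {port for _, port in q}
        if len(distinct) >= min_ports and key not in alerted:
            alerted.add(key)
            alerts.append((ev["src"], ev["dst"], ev["ts"], len(distinct)))
    return alerts


if __name__ == "__main__":
    for src, dst, ts, n in detect_port_scans(parse_log(SAMPLE_LOG)):
        print(f"{ts.isoformat()} possible port scan: {src} -> {dst}, {n} ports in window")
```

The window and port-count thresholds decide the false-positive rate: a monitoring system that legitimately polls several service ports on every host would trip a low threshold, so such sources belong on an allowlist that is checked before the rule fires.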
Network security checklist
• What procedures are adopted and network security systems used by a cloud vendor?
• What technologies are used in order to stop network intrusions, such as denial-of-service attacks, man-in-the-middle attacks or port scanning?
• How are these systems configured?
• What configurations can or must the cloud consumer use?
• What response is made to security incidents? Does a process model exist?